Red Hat Security Advisory: Red Hat Advanced Cluster Management for Kubernetes v2.11.10 security update
🔗 CVE IDs covered (16)
📋 Description
CVE-2025-9288 — sha.js: Missing type checks leading to hash rewind and passing on crafted data
CVE-2025-13465 — lodash: prototype pollution in _.unset and _.omit functions
CVE-2026-21721 — grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables Cross‑Dashboard Privilege Escalation
CVE-2026-22029 — @remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects
CVE-2026-25639 — axios: Axios affected by Denial of Service via proto Key in mergeConfig
CVE-2026-42508 — golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey
CVE-2026-44486 — axios: Axios: Information disclosure of proxy credentials via HTTP redirects
CVE-2026-44487 — axios: Axios: Information disclosure of proxy credentials via redirect flows
CVE-2026-44488 — axios: Axios: Denial of Service due to unenforced request and response size limits
CVE-2026-44492 — axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization
CVE-2026-44494 — axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution
CVE-2026-44495 — axios: Axios: Information disclosure due to prototype pollution vulnerability
CVE-2026-44496 — axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name
CVE-2026-44990 — sanitize-html: sanitize-html: Stored Cross-Site Scripting via HTML sanitizer bypass
CVE-2026-46384 — github.com/hamba/avro/v2: github.com/linkedin/goavro/v2: Integer Overflow in Avro Decoder
CVE-2026-46385 — github.com/hamba/avro/v2: github.com/linkedin/goavro/v2: CPU Exhaustion in Avro Decoder via Unbounded Block-Count Iteration
🔗 References (20)
- selfhttps://access.redhat.com/errata/RHSA-2026:40138
- externalhttps://access.redhat.com/security/cve/CVE-2025-13465
- externalhttps://access.redhat.com/security/cve/CVE-2025-9288
- externalhttps://access.redhat.com/security/cve/CVE-2026-21721
- externalhttps://access.redhat.com/security/cve/CVE-2026-22029
- externalhttps://access.redhat.com/security/cve/CVE-2026-25639
- externalhttps://access.redhat.com/security/cve/CVE-2026-42508
- externalhttps://access.redhat.com/security/cve/CVE-2026-44486
- externalhttps://access.redhat.com/security/cve/CVE-2026-44487
- externalhttps://access.redhat.com/security/cve/CVE-2026-44488
- externalhttps://access.redhat.com/security/cve/CVE-2026-44492
- externalhttps://access.redhat.com/security/cve/CVE-2026-44494
- externalhttps://access.redhat.com/security/cve/CVE-2026-44495
- externalhttps://access.redhat.com/security/cve/CVE-2026-44496
- externalhttps://access.redhat.com/security/cve/CVE-2026-44990
- externalhttps://access.redhat.com/security/cve/CVE-2026-46384
- externalhttps://access.redhat.com/security/cve/CVE-2026-46385
- externalhttps://access.redhat.com/security/updates/classification/
- externalhttps://access.redhat.com/security/updates/classification/#important
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_40138.json